Volatility3 core commands

Assume you're given a memory sample that is likely from a Windows host, but you have minimal information about it. Here's how to identify basic Windows host information using volatility.

$ python3 vol.py -f /path/to/memory.dump windows.info

Volatility can output a lot of information, and the default output is not always easy to read. You can use the -r (--renderer) flag to generate output as pretty (tabulated), json, csv, or quick. More information here: https://volatility3.readthedocs.io/en/stable/volatility3.cli.text_renderer.html

I typically export results as csv if I want to import it into a timeline, or filter it in Excel, etc.

$ python3 vol.py -r csv -f /path/to/memory.dump windows.info

Display process information

$ python3 vol.py -f /path/to/memory.dump windows.pslist

If you want to display the same process information but with parent/child relationships highlighted (as a tree):

$ python3 vol.py -f /path/to/memory.dump windows.pstree

Dump executables and associated DLLs for one process (you need the process ID/PID first; -o sets the directory the files are written to)

$ python3 vol.py -f /path/to/memory.dump -o /output/directory/ windows.dumpfiles --pid 4628
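Tying the commands above together, here is an added helper (not part of this page or the Volatility project) that filters a csv-rendered windows.pslist export by process name and emits the matching windows.dumpfiles invocation for each PID as a dry run. The CSV sample is constructed, and its column names are an assumption modelled on typical windows.pslist output.

```shell
#!/bin/sh
# Constructed sample of `python3 vol.py -r csv -f memory.dump windows.pslist`
# output. Column names are assumed; the parser locates them by header, not index.
SAMPLE_PSLIST='TreeDepth,PID,PPID,ImageFileName,Offset(V),Threads,Handles,SessionId,Wow64,CreateTime,ExitTime,File output
0,4,0,System,0xfa80018c0040,90,N/A,N/A,False,2024-01-10 12:00:01.000000 ,N/A,Disabled
0,420,4,smss.exe,0xfa8001a5b9e0,2,N/A,N/A,False,2024-01-10 12:00:03.000000 ,N/A,Disabled
1,4628,3312,notepad.exe,0xfa8002b11b30,3,N/A,1,False,2024-01-10 12:05:17.000000 ,N/A,Disabled
1,5120,3312,notepad.exe,0xfa8002c43060,2,N/A,1,False,2024-01-10 12:06:40.000000 ,N/A,Disabled'

# pids_for_name CSV NAME
# Print the PID of every row whose ImageFileName equals NAME (case-insensitive).
# The PID and ImageFileName columns are found from the header row, so the
# function keeps working if the renderer changes the column order.
pids_for_name() {
    printf '%s\n' "$1" | awk -F',' -v want="$2" '
        NR == 1 {
            for (i = 1; i <= NF; i++) {
                if ($i == "PID") pid = i
                if ($i == "ImageFileName") name = i
            }
            next
        }
        tolower($name) == tolower(want) { print $pid }'
}

# dumpfiles_cmds IMAGE OUTDIR CSV NAME
# Emit one windows.dumpfiles command per matching PID (printed, not executed,
# so the output can be reviewed before piping it to sh).
dumpfiles_cmds() {
    for pid in $(pids_for_name "$3" "$4"); do
        printf 'python3 vol.py -f %s -o %s windows.dumpfiles --pid %s\n' "$1" "$2" "$pid"
    done
}

# Usage on the constructed sample: both notepad.exe instances are selected.
dumpfiles_cmds /path/to/memory.dump /output/directory/ "$SAMPLE_PSLIST" notepad.exe
```

On a real image, replace SAMPLE_PSLIST with the output of the csv-rendered windows.pslist command and pipe the printed lines to sh once they look right.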
